Method of and system for generating an Authorized Domain



The invention relates to a method of generating an Authorized Domain. The 
invention further relates to a system for generating an Authorized Domain. Further, the 
invention relates to a computer readable medium having stored thereon instructions for
causing one or more processing units to execute the method according to the invention.
Additionally, the invention relates to an Authorized Domain and an Authorized Domain that
has been generated by the method and/or the system according to the present invention. 

In recent years, the number of content protection systems has been growing at a rapid
pace. Some of these systems only protect the content against illegal copying, while others
also prohibit the user from getting access to the content. The first category is called Copy
Protection (CP) systems. CP systems have traditionally been the main focus for consumer
electronics (CE) devices, as this type of content protection is thought to be cheaply
implemented and does not need bi-directional interaction with the content provider. Some
examples are the Content Scrambling System (CSS), the protection system of DVD ROM
discs and DTCP (a protection system for IEEE 1394 connections).

The second category is known under several names. In the broadcast world, 
systems of this category are generally known as conditional access (CA) systems, while in 
the Internet world they are generally known as Digital Rights Management (DRM) systems. 

A home network can be defined as a set of devices that are interconnected
using some kind of network technology (e.g. Ethernet, IEEE 1394, Bluetooth, 802.11b,
802.11g, etc.). Although network technology allows the different devices to communicate,
this is not enough to allow devices to interoperate. To be able to do this, devices need to be
able to discover and address the functions present in the other devices in the network. Such
interoperability is provided by home networking middleware. Examples of home networking
middleware are Jini, HAVi, UPnP, AVC.

The concept of Authorized Domains (ADs) aims at finding a solution to both 
serve the interests of the content owners (that want protection of their copyrights) and the 
content consumers (that want unrestricted use of the content). The basic principle is to have a




PHNL040315EPP 

2 26.03.2004 

controlled network environment in which content can be used relatively freely as long as it
does not cross the border of the authorized domain. Typically, authorized domains are
centered around the home environment, also referred to as home networks. Of course, other
scenarios are also possible. A user could for example take a portable device for audio and/or
video with a limited amount of content with him on a trip, and use it in his hotel room to
access or download additional content stored on his personal audio and/or video system at
home. Even though the portable device is outside the home network, it is a part of the user's
authorized domain. In this way, an Authorized Domain (AD) is a system that allows access to
content by devices in the domain, but not by any others.

For a more extensive introduction to the use of an Authorized Domain, etc.,
see S.A.F.A. van den Heuvel, W. Jonker, F.L.A.J. Kamperman, P.J. Lenoir, Secure Content
Management in Authorised Domains, Philips Research, The Netherlands, IBC 2002
conference publication, pages 467-474, held at 12-16 September 2002.

Various proposals exist that implement the concept of authorized domains to
some extent.

One type of previous solution includes device based Authorized Domains
(ADs). Examples of such systems are SmartRight (Thomson Multimedia), xCP, and
NetDRM (Matsushita). A further example of a device based AD is e.g. given in
international patent application WO 03/098931 (attorney docket PHNL020455) by the same
applicant.

In typical device based ADs, the domain is formed by a specific set of devices 
and content. Only the specific set of devices of the domain is allowed to access, use, etc. the 
content of that domain. No distinction is made between the various users of the specific
set of devices.

A drawback of device based AD systems is that they typically do not provide
the typical flexibility that a user wants or needs, since users are restricted to a particular and
limited set of devices. In this way, a user is not allowed to exercise the rights that the user has
obtained anytime and anywhere he chooses. For example, if a user is visiting a friend's house
he is not able to access his legally purchased content on the friend's devices as these devices
would not typically be part of the particular and limited set of devices forming the domain
comprising the user's content.

Another type of previous solutions is person based Authorized Domains,
where the domain is based on persons instead of devices as was the case for device based
ADs. An example of such a system is e.g. described in international patent application serial
number IB2003/004538 (attorney docket PHNL021063) by the same applicant, in which
content is coupled to persons which then are grouped into a domain.

In a typical person based AD access to content bound to that AD is allowed by
only a specific and limited set of users, but e.g. using any compliant device. Person based
Authorized Domains typically offer easier domain management compared to device based
ADs.

However, person based systems require person identification which is not
always convenient or preferred by users. Further, a visitor to your home may want to access
your content. As he does not have a person id device for that domain it is not possible for him
to access content. It would be preferred if devices in the home belonging to the domain could
enable access of domain content by the visitor.

Therefore there is a need for a hybrid person and device based authorized
domain having the individual advantages of each system. Such a hybrid person and device
based authorized domain is proposed in European patent application serial number
03102281.7 (attorney docket PHNL030926) by the same applicant. In that application an
Authorized Domain (AD) is proposed which combines two different approaches to define an
AD. The connecting part between the device and the person approach is a Domain Identifier.
The devices are preferably grouped together via a domain devices certificate (DDC), while
the persons preferably are separately grouped via a domain users certificate (DUC) and
where content is directly or indirectly linked to a person. A schematic representation of such
an Authorized Domain (AD) can be seen in Figure 1, and will be explained in greater detail
in the following.

However, this AD has the disadvantage that when content is imported into the
domain (an action typically done on a device), e.g. from a delivery DRM and/or CA system,
it is not directly clear to which person the content has to be attributed. In other words, at the
moment of import, the system needs additional information of whom it must link the content
to. Therefore there is a need for a simple implementation where the information 'to whom
belongs content imported in the domain' is easily and/or directly obtainable.

An additional problem is that no simple and effective domain boundary is
available. In prior art systems/methods, domain boundaries are typically defined by a
maximum number of devices, a limited number of sessions, etc., which are either technically
difficult to implement or easy to implement but then do not provide the desired
characteristics of a domain boundary. An example of the first is e.g. letting all persons to a
household be in the domain wherever they are using any device they possess. Setting a limit
for the number of devices or sessions in the domain gives the disadvantage that this approach
does not scale with the number of users using the Authorized Domain (AD). Therefore there
is a need for a simple and more scalable implementation of the domain boundary.



It is an object of the invention to provide a method and corresponding system
for providing/generating an Authorized Domain structure based on both persons and devices
that solves the above-mentioned shortcomings of prior art. A further object is to provide this
in a simple, flexible and efficient way.

These objects, among others, are achieved by a method (and corresponding
system) of generating an Authorized Domain, the method comprising the steps of selecting a
domain identifier uniquely identifying the Authorized Domain, binding at least one user to
the domain identifier, binding at least one content item to at least one user, and binding at
least one device to at least one user, thereby obtaining a number of devices and a number of
users that is authorized to access a content item of said Authorized Domain.

In this way, a number of verified devices and a number of verified persons that
is authorized to access a content item of said Authorized Domain are obtained. Additionally,
it is possible to enable automatic assignment of imported content being imported on a device
belonging to the Authorized Domain (AD) since it now is given to which person a given
authorized device belongs to.

Further, a simple and efficient way of implementing domain boundaries is 
enabled, since the domain boundaries may be coupled to users only (as now both devices and
content are coupled to users). In this way, the domain boundary becomes less rigid and scales
better. 

Additionally, a simple and efficient way of grouping devices and persons to an
AD is obtained. Further, a hybrid device and person based Authorized Domain is provided.
In this way, access is enabled to a content item of an authorized domain by a user operating a
device either by verifying that the owner of a content item and the user is linked the same
domain or by verifying that the owner of the device and the owner of the content item is
linked to the same domain. Thereby, enhanced flexibility for one or more users when
accessing content in an authorized domain is obtained while security of the content is still



In one embodiment, 
- each device may be bound to only a single user, or 
- each device may be bound to several users, where one user is indicated as a primary user for
that particular device. 

In one embodiment the method further comprises the step of:

- importing, on a given device, at least one content item into the Authorized Domain given by
the domain identifier by

- automatically binding, by default, the at least one imported content item to the single user
that the given device is bound to or to the user (P1, P2, ..., PN1) indicated as primary user for
the given device, or

- binding the at least one imported content item to another user using additional information,
when non-default binding is to be used.

In one embodiment, the method further comprises 

- providing an Authorized Domain size limitation, where the limitation relates to a maximum 
number of users. 

Further, a limit can be put on the maximum number of devices per user,
thereby making the total number of devices in the domain dependent on the number of users.

In one embodiment, the method further comprises

- using a user identification device as a personal Authorized Domain manager, and/or

- using a personal mobile device as a personal Authorized Domain manager, and/or

- using a mobile phone as a personal Authorized Domain manager, and/or

- using a PDA (personal digital assistant) as a personal Authorized Domain manager.

In one embodiment, the step of binding at least one user to the domain 
identifier comprises: 

- obtaining or generating a Domain Users List comprising the domain identifier and a unique 
identifier for a user thereby defining that the user is bound to the Authorized Domain. 

In one embodiment, the step of binding at least one device to at least one user
comprises

- obtaining or generating a Device Owner List comprising a unique identifier for a user and a
unique identifier for each device belonging to the user thereby defining that the at least one
device is/are bound to the user,

- or in that the step of binding at least one device to at least one user comprises

- obtaining or generating a Device Owner List for each device to be bound, the Device
Owner List comprising a unique identifier for a user and a unique identifier for a device
belonging to the user thereby defining that the device is bound to the user.

In one embodiment, the step of binding at least one content item to the
Authorized Domain comprises:

- binding a content item to a User Right, where said User Right is bound to a user bound to
the Authorized Domain.

In one embodiment, the User Right comprises rights data representing which
rights exist in relation to the at least one content item bound to the User Right.

In one embodiment, the method further comprises the step of controlling
access, by a given device being operated by a given user, to a given content item, the step
comprising:

- checking whether a user, the given content item is linked to, and a user, the given device is
linked to, belong to the same Authorized Domain, and allowing access for the given user
and/or other users via the given device to the content item if so,
and/or

- checking if the given content item is linked to a user belonging to the same Authorized
Domain as the given user, and allowing access for the given user via the given device and/or
other devices to the content item if so.

In one embodiment, the method further comprises the step of controlling
access, by a given device being operated by a given user, to a given content item being bound
to the Authorized Domain and having a unique content identifier, comprising:

- checking if the Domain User List of the Authorized Domain comprises both a first user
identifier, comprised in a Device Owner List comprising an identifier of the given device,
and a second user identifier, linked to the given content item, thereby checking if the user
bound to the given device is bound to the same Authorized Domain as the user bound to the
content item, and

- allowing access to the given content item by the given device operated by any user

and/or

- checking if the Domain User List of the Authorized Domain, that the content item is bound
to, comprises a user identifier of the given user thereby checking if the given user is bound to
the same Authorized Domain as the content item, and

- allowing access to the given content item by any device including the given device operated
by the given user.

In one embodiment, the step of controlling access of a given content item
further comprises:

- checking that the User Right for the given content item specifies that the given user has the
right to access the given content item and only allowing access to the given content item in
the affirmative.
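
The bindings and the two access checks described above can be modelled in a few lines. The following is an added example, not code from the application: the class and method names, the size limits and the sample users, devices and content items are all hypothetical, plain lists stand in for the signed certificates, and the User Right check is simplified to a lookup of the requested right in the rights data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserRight:
    """User Right: binds one content item to its owning user, with rights data."""
    content_id: str
    owner: str
    rights: frozenset = frozenset({"play"})


@dataclass
class AuthorizedDomain:
    domain_id: str
    max_users: int = 3                # constructed domain size limit
    max_devices_per_user: int = 2     # constructed per-user device limit
    users: set = field(default_factory=set)            # Domain Users List
    device_owners: dict = field(default_factory=dict)  # Device Owner List: device -> owners, first is primary
    user_rights: dict = field(default_factory=dict)    # content id -> UserRight

    def bind_user(self, user):
        if user not in self.users and len(self.users) >= self.max_users:
            raise ValueError("domain user limit reached")
        self.users.add(user)

    def bind_device(self, device, owner):
        if owner not in self.users:
            raise ValueError("device owner must be bound to the domain")
        owners = self.device_owners.get(device, [])
        if owner in owners:
            return
        owned = sum(owner in o for o in self.device_owners.values())
        if owned >= self.max_devices_per_user:
            raise ValueError("per-user device limit reached")
        self.device_owners[device] = owners + [owner]

    def import_content(self, device, content_id, owner=None):
        """Bind imported content to the device's primary user unless told otherwise."""
        owners = self.device_owners.get(device)
        if not owners:
            raise ValueError("device is not bound to a domain user")
        owner = owner or owners[0]
        if owner not in self.users:
            raise ValueError("content owner must be bound to the domain")
        self.user_rights[content_id] = UserRight(content_id, owner)
        return owner

    def check_access(self, device, user, content_id, right="play"):
        """Return (allowed, reason) for `user` operating `device`."""
        urc = self.user_rights.get(content_id)
        if urc is None or urc.owner not in self.users:
            return (False, "content not bound to this domain")
        if right not in urc.rights:
            return (False, "right not granted by the User Right")
        # Person-based path: the operating user is in the same domain as the content.
        if user in self.users:
            return (True, "person-based")
        # Device-based path: an owner of the device is in the same domain as the
        # content owner, so any user (e.g. a visitor) may use this device.
        if any(o in self.users for o in self.device_owners.get(device, [])):
            return (True, "device-based")
        return (False, "neither user nor device is linked to the domain")


def build_demo_domain():
    """Constructed sample: two users, a shared TV (alice primary), bob's phone."""
    ad = AuthorizedDomain("constructed-domain-id")
    for u in ("alice", "bob"):
        ad.bind_user(u)
    ad.bind_device("tv", "alice")
    ad.bind_device("tv", "bob")
    ad.bind_device("phone", "bob")
    ad.import_content("tv", "film-1")               # default: primary user
    ad.import_content("tv", "album-1", owner="bob")  # non-default binding
    return ad
```

Because devices and content are both reached through users, removing a user from the Domain Users List withdraws that user's content and devices from both checks without touching any other list.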

In one embodiment, every content item is encrypted and that a content right is
bound to each content item and to a User Right, and that the content right of a given content
item comprises a decryption key for decrypting the given content item.

In one embodiment,

- the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate,
and/or

- the Device Owner List (DOC) is implemented as or included in a Device Owner Certificate,
and/or

- the User Right is implemented as or included in a User Right Certificate.

Advantageous embodiments of the system according to the present invention
are defined in the sub-claims and described in detail in the following. The embodiments of
the system correspond to the embodiments of the method and have the same advantages for the
same reasons.

Further, the invention also relates to a computer readable medium having
stored thereon instructions for causing one or more processing units to execute the method
according to the present invention.

The invention also relates to an Authorized Domain (AD) that has been
generated by the method or by the system according to the present invention.

Further the invention also relates to an Authorized Domain (AD) structure
comprising a domain identifier uniquely identifying the Authorized Domain, a representation
of at least one user bound to the domain identifier, a representation of at least one content
item bound to at least one user, and a representation of at least one device bound to at least
one user, thereby defining a number of devices and a number of users that is authorized to
access a content item of said Authorized Domain.

These and other aspects of the invention will be apparent from and elucidated
with reference to the illustrative embodiments shown in the drawings, in which:

Figure 1 schematically illustrates a hybrid device and person based Authorized
Domain (AD) according to prior art;

Figure 2a schematically illustrates a hybrid device and person based Authorized
Domain (AD) according to the present invention;

Figure 2b illustrates how each content item is linked to persons via a user right
according to one embodiment of the present invention;

Figure 3a schematically illustrates the coupling between users and devices
according to a first aspect of the present invention;

Figure 3b schematically illustrates the coupling between users and devices
according to a second aspect of the present invention;

Figure 4 schematically illustrates the elements of a Domain Users Certificate
(DUC);

Figure 5 illustrates an exemplary (partial) data structure of a content container,
a content right (CR) and a user right certificate (URC) according to the embodiment of the
present invention shown in Figure 2a;

Figure 6 schematically illustrates an exemplary system comprising devices and
persons forming an

Throughout the figures, same reference numerals indicate similar or
corresponding features. Some of the features indicated in the drawings are typically
implemented in software, and as such represent software entities, such as software modules
or objects.



Figure 1 schematically illustrates a hybrid device and person based Authorized
Domain (AD) according to prior art. Such a hybrid device and person based authorized
domain is disclosed in European patent application serial number 03102281.7 (attorney
docket PHNL030926) by the same applicant. Shown are an authorized domain (100) where a
number of devices D1, D2, D3, ..., DM (where M is equal to or larger than 1), a number of
content items C1, C2, C3, ..., CN2 (where N2 is equal to or larger than 1) and a number of
persons/users P1, P2, P3, ..., PN1 (where N1 is equal to or larger than 1) is bound to the AD.
Please note that M, N1 and/or N2 may initially or at some time later be 0 in some states. The
devices, persons, and content items have been bound to the domain (100) via a domain
identifier (Domain_ID) (101). The content items (C1, C2, C3, ..., CN2) [...]
users (P1, P2, P3, ..., PN1) [...]
one content item is associated with one user right certificate specifying which rights a given
person (or alternatively a given group of persons and/or all persons bound to the domain
(100)) have in relation to the specific content item (or alternatively, several or all content
items in the domain (100)). In another embodiment of European patent application serial
number 03102281.7 (attorney docket PHNL030926), the content items (C1, C2, C3, ..., CN2)
are connected to the Domain Identifier (101) via one or more Domain Rights (DRC) (not
shown), e.g. implemented as a certificate.

For more information on an authorized domain architecture and
implementation options, the reader is referred to international patent application WO
03/047204 (attorney docket PHNL010880) by the same applicant or international patent
application WO 03/098931 (attorney docket PHNL020455) also by the same applicant. The
latter application more specifically describes an implementation in which content and devices
are coupled to a domain. Additionally, international patent application serial number
IB2003/004538 (attorney docket PHNL021063) by the same applicant describes an
implementation in which content is coupled to persons which then are grouped into a domain.

Authorized devices are preferably bound to the AD (100) by a certificate.
Likewise authorized persons/users are preferably also bound to the AD (100) via certificates.
Content items are, in this particular embodiment, bound to a person by means of a user right
certificate (URC). This user right certificate enables the use of a corresponding content right
(CR) that preferably contains a cryptographic key for accessing the content, as will be
explained in greater detail in connection with Figure 5. A user right certificate (URC) is
typically linked with one content item, but could also be linked with multiple content items.
An exemplary partial data structure of a content container (contains a content item), a URC,
and a CR are shown and explained in greater detail in connection with Figure 5.

Domain certificates are preferably issued by a domain authority. Alternatively, 
compliant devices with domain management capabilities can manage these certificates. 

In the specific example shown in Figure 1, each content item C1, C2, ..., CN
is coupled (via URC(s)) to person P1, CN+1 is coupled to person P2, and where CN+2 - CN2 are
distributed among person(s) P3 - PN1.

A given content item is preferably only allowed to be coupled to a single URC
(indirectly via a content right) and thereby a single person. If several users need a copy of
the same content item it would in this embodiment be present once for each user and treated
as different content items, which makes rights management simpler. Alternatively and just as
applicable, a given content item could be coupled to multiple persons, as a CR can be linked
to multiple URCs.

Persons P1, P2, ..., PN1 and Domain devices D1, D2, ..., DM are then
grouped into forming the authorized domain (100).

The binding, i.e. grouping and coupling, of devices, persons and content is
done by the use of certificates. Preferably, a Domain Devices Certificate or Domain Devices
List (DDC), a Domain Users Certificate or Domain Users List (DUC), and a User Right
Certificate or User Right List (URC) are used. In the following reference is only made to
certificates, although it is to be understood that such structures may e.g. be implemented as
lists or the like instead.

The DDC lists the device(s), which are part of the domain (100), e.g. by
comprising for each device a unique identifier. The DUC lists the user(s), which are part of
the domain, e.g. by comprising a unique identifier or a (e.g. public) cryptographic key or a
hash hereof for each user. The URC preferably exists for each content item (so in Figure 1
there are N2 URCs) and indicates which rights the user (that the URC is linked to) has (and/or
does not have) within the domain (100), and optionally a cross domain (X-AD rights), for the
given content item linked to the URC. Alternatively, an URC coupled to a given user e.g.
lists each content item that is coupled to the given user and what rights the given user has in
relation to each coupled content item. Alternatively, only a single URC is used specifying the
rights for every user, i.e. which content item(s) each user has coupled to him/her and what
rights the user has (and/or does not have).

The DDC and DUC are associated with each other by means of a Domain
Identifier (Domain_ID) (101) contained in both certificates.

In the prior art, if a specific device (e.g. device D3) wants to access a certain
piece of content (e.g. content C1) it has to be proved or checked, etc. (using the certificates)
that the certain piece of content is coupled to a specific person (e.g. person P1) that is a
member of the same domain (100) as the specific device. This may e.g. be done by checking
that an (unique) identifier of the specific device (e.g. device D3) is part of the DDC, that an
(unique) identifier of the specific person (e.g. person P1) is part of the DUC, that both the
DDC and DUC comprise the same Domain Identifier (e.g. Domain_ID = 4 or Domain_ID =
8 byte value (e.g. generated randomly); not shown), and that the URC for the specific person
(e.g. URC1) specifies that the specific person has the right to access the certain piece of
content (e.g. if it is within the validity period of his license [...]).
Alternatively, the Domain ID may instead of being a random [...]
reference to a data object e.g. a domain certificate.

However, this AD has the disadvantage that when content is imported into the
domain (an action typically done on a device), e.g. from a delivery DRM and/or CA system,
it is not directly clear to which person the content has to be attributed. In other words, at the
moment of import, the system needs additional information of whom it must link the content
to.

Further, no simple and effective domain boundary is available. Domain
boundaries are typically defined by a maximum number of devices, a limited number of
sessions, etc., which are either technically difficult to implement or easy to implement but
then do not provide the desired characteristics of a domain boundary. An example of the last
is e.g. letting all persons to a household be in the domain wherever they are using any device
they possess. Such a domain boundary is not useful. Additionally, setting a limit for the
number of devices or sessions in the domain gives the disadvantage that this approach does
not scale with the number of users using the Authorized Domain (AD).

Figure 2a schematically illustrates a hybrid device and person based Authorized
Domain (AD) according to the present invention. Shown is an Authorized Domain (AD)
corresponding to the one shown in Figure 1 with exceptions as explained in the following.
Instead of linking authorized devices of the domain directly to the domain identifier
(Domain_ID) (101), as in Figure 1, devices are now linked to persons, or more specifically,
each device is linked to a person (could it generally be persons??, i.e. more than one person
has ownership over a single device) that has ownership over the particular device. In the
shown embodiment, each device is linked only to a single person, whereby the ownership of
the device is easily reflected. Alternatively, each device may be linked to more than one
person.

Shown is an Authorized Domain (AD) (100) where a number of persons/users
(P1, P2, ..., PN1) are bound to a domain identifier (Domain_ID) (101), as explained in
connection with Figure 1. Further, a number of content items (C1, C2, C3, ..., CN2) is linked
to the users, as explained in connection with Figure 1.

In the specific example shown in Figure 2a, content item C1, C2, ..., CN is
coupled (preferably via URC(s) as explained in greater detail in connection with Figure 2b)
to person P1, CN+1 is coupled to person P2, and CN+2 - CN2 are distributed among person(s)
P3 - PN1.

According to the present invention, a number of authorized devices (D1, D2,
D3, ..., DM) (where M is equal to or larger than 1) is bound to the users of the Authorized
Domain (AD) (100), where the binding reflects that a given user has ownership of the bound
device. Preferably, authorized devices are bound to the users (and thereby the AD (100)) by
a Device Owner Certificate (DOC), list or other suitable structure. In one embodiment, a
DOC exists for each device (as described in connection with Figure 3a) defining which user
(or users) has ownership of the given device. Alternatively, a DOC exists for each person (as
described in connection with Figure 3b) defining which devices within the domain that user
has ownership over. In yet another alternative embodiment, a device may indicate to whom it
belongs, e.g. by providing a DOC, list or other suitable structure.

In the specific example shown in Figure 2a, devices D1 and D2 are coupled to
user P1, D3 is coupled to user P2, and D4 - DM are distributed among user(s) P3 - PN1.

As mentioned, the user right (URC1, ..., URCN2) is a single connection,
binding, coupling etc. between one user and a content right (which is required to decrypt a
piece of content). Therefore we now have five main entities in our system that could work as
follows:

- content (C1, C2, C3, ..., CN2): content items are preferably encrypted (there are many
options, for example with a unique key per content title) and can be anywhere in the system;
a content item is in this and later embodiments linked indirectly to a user right certificate
(URC) via a content right (CR), as explained in connection with Figure 5.

- content right (CR; not shown; see e.g. Figure 5): contains cryptographic key(s) or other
suitable protection means to access a certain (encrypted/protected) content item. The system
is flexible in the sense that content rights can be made per content title or even unique
per specimen (copy) of content. Content rights should be only transferred to compliant
devices. A more secure rule is to enforce that content rights may be only transferred to
compliant devices that are operated by authorized users (i.e. users that are authorized to have
access to the specific content right by means of their user rights). Content rights might also
be stored together with the content on for example an optical disk. However, content rights
must be stored securely since they contain the content decryption key.

- user right certificate (URC1, ..., URCN2; not shown; see e.g. Figure 2b): a certificate, list,
data structure or the like issued by the content provider that authorizes a person to use a
certain content right (CR) (belonging to a certain piece of content). User rights can in
principle be anywhere in the system. Preferably, a user right certificate also comprises rules
(e.g. restricted to viewers 18 years or older, European market only, etc.) describing the
allowed access to a certain content item.



- device (D1, D2, D3, ..., DM): a device that is used to play, operate, record, present, display.

Additionally, a (compliant) device can also preferably identify a
user by means of a personalized identification device (e.g. such as a smart-card, a mobile
phone, a biometric sensor, etc.) and collect certificates (e.g. from the smartcard, or from other
devices) that prove that the user is allowed to use a certain content right. This content right
could be obtained from the smart-card where it was stored (if it was stored there), or be
obtained (securely transferred) from another compliant device on a network.

- user/person (P1, P2, P3, ..., PN1): A user is identified by some biometric or preferably by a
personalized identification device (e.g. a smartcard, mobile phone, a mobile phone containing
a smartcard or other types of devices that uniquely identifies a user) that he/she is wearing,
carrying or has access to. A mobile phone comprising a smart card or another device having
storage means is preferred since it allows users to carry rights with them (for accessing
content on off-line devices). The identification device may itself be protected by a biometric
authentication mechanism, so that anyone other than the legitimate owner cannot use the
identification device. A user may also be identified using public key technology or zero-
knowledge protocols or a combination thereof.

Please note that in practice content can only be accessed/used by means of a
user operating a device. In the following text we assume that devices used in the system are
compliant and "public" devices. This means that a device will adhere to certain operation
rules (e.g. will not illegally output content on an unprotected digital interface) and that
ownership of a device is not important (public). Device compliance management, i.e.
compliant device identification, renewability of devices, and revocation of devices, will be
assumed to be in place (using known techniques), and will not be considered further here.

By having the content items coupled to persons (e.g. via URCs) the ownership
of content is easily reflected. Additionally, it is easier to administer a split of the AD, since
by splitting the persons the appropriate content items are also split, since the content items are
linked to persons.

Hereby, one or more persons, one or more devices (via a person), and at least
one content item (via a person) are linked together in the domain preferably with the use of
certificates or alternatively with the use of lists or other suitable structures comprising the
same described elements as for the certificates. It may be possible for the domain to comprise
zero persons and/or zero devices and/or zero content items during some points. E.g. when
initially building the domain it may comprise zero content items or zero devices bound to the
domain, etc.

In this way, a user that has been verified as belonging to the same domain as 
the content item being accessed may access the specific content using any device. 
Additionally, a user that is using a device that has been verified as belonging to the same
domain as the content item being accessed may access the specific content using that specific
device. Further all users may access the specific content item on that specific device.

This gives enhanced flexibility for one or more users when accessing content
in an AD while security of the content is still maintained.

Further, during import of new content items it is now possible to automatically
assign the newly imported content to the person to whom the device used for import
belongs, since the devices in the Authorized Domain (AD) now are coupled to persons. So now, it
is not necessary to obtain and handle additional information relating to who imported content
must be linked to. In a preferred embodiment, it is possible to override or sidestep this
automatic assignment and still use additional information to assign the content to another
person within the Authorized Domain (AD). In the embodiment where a given device may be
linked to multiple persons, a 'primary' person and one or more 'secondary' persons may be
designated where the default automatic binding of an imported content item (C1, C2, ...,
CN2) is done to the user (P1, P2, ..., PN1) that is designated primary person of the given
device (D1, D2, ..., DM) used during import.

Additionally, a simple and efficient way of implementing domain boundaries
is enabled, since the domain boundaries may be coupled to users only (as now both devices
and content are coupled to users). In effect, an Authorized Domain (AD) size limitation is
provided, where the limitation relates to a maximum number of users instead of a maximum
number of devices or a maximum number of sessions. Further, a limit can be put on the
maximum number of devices per user, thereby making the total number of devices in the
domain dependent on the number of users.
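The binding rules described above (a size limit counted in users, a per-user device limit, and default assignment of imported content to the device's primary person with an optional override) can be modelled as follows. This is an added example, not code from the patent: the class and method names, the plain-table representation of DUC, DOC and URC, and the rule that the first person bound to a device is its primary person are assumptions, and certificate signing is left out.

```python
from typing import Dict, List, Optional


class DomainError(Exception):
    """A binding would break a rule of the Authorized Domain."""


class AuthorizedDomain:
    """Constructed model: the DUC, DOC and URC links kept as plain tables."""

    def __init__(self, domain_id: str, max_users: int, max_devices_per_user: int):
        self.domain_id = domain_id
        self.max_users = max_users
        self.max_devices_per_user = max_devices_per_user
        self.duc: List[str] = []             # DUC: Pers_IDs bound to Domain_ID
        self.doc: Dict[str, List[str]] = {}  # DOC: Dev_ID -> Pers_IDs, primary first
        self.urc: Dict[str, str] = {}        # URC link: Cont_ID -> Pers_ID

    def bind_user(self, pers_id: str) -> None:
        """Bind a person to the domain; the size limit counts users only."""
        if pers_id in self.duc:
            return
        if len(self.duc) >= self.max_users:
            raise DomainError(f"{self.domain_id}: limit of {self.max_users} users reached")
        self.duc.append(pers_id)

    def devices_of(self, pers_id: str) -> List[str]:
        """Devices that have a DOC entry naming this person."""
        return sorted(d for d, owners in self.doc.items() if pers_id in owners)

    def bind_device(self, dev_id: str, pers_id: str, primary: bool = False) -> None:
        """Bind a device to a domain user (assumption: first owner is primary)."""
        if pers_id not in self.duc:
            raise DomainError(f"{pers_id} is not bound to {self.domain_id}")
        owners = list(self.doc.get(dev_id, []))
        if pers_id in owners:
            if not primary:
                return                       # already bound, nothing to change
            owners.remove(pers_id)           # re-inserted as primary below
        elif len(self.devices_of(pers_id)) >= self.max_devices_per_user:
            raise DomainError(f"{pers_id}: per-user device limit reached")
        if primary:
            owners.insert(0, pers_id)
        else:
            owners.append(pers_id)
        self.doc[dev_id] = owners

    def import_content(self, cont_id: str, dev_id: str,
                       assign_to: Optional[str] = None) -> str:
        """Bind imported content to the device's primary person unless overridden."""
        owners = self.doc.get(dev_id)
        if not owners:
            raise DomainError(f"{dev_id} is not bound to a user of {self.domain_id}")
        owner = owners[0] if assign_to is None else assign_to
        if owner not in self.duc:
            raise DomainError(f"{owner} is not bound to {self.domain_id}")
        self.urc[cont_id] = owner
        return owner

    def max_total_devices(self) -> int:
        """Upper bound on devices that follows from the two per-user limits."""
        return self.max_users * self.max_devices_per_user


if __name__ == "__main__":
    ad = AuthorizedDomain("AD-100", max_users=2, max_devices_per_user=2)
    ad.bind_user("P1")
    ad.bind_user("P2")
    ad.bind_device("D1", "P1")               # P1 becomes primary person of D1
    ad.bind_device("D1", "P2")               # P2 is a secondary person of D1
    print(ad.import_content("C1", "D1"))
    print(ad.import_content("C2", "D1", assign_to="P2"))
```

The override path still checks that the chosen person is listed in the DUC, so imported content cannot be bound to someone outside the domain.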

It is also to be understood that instead of having one list or certificate
comprising users (i.e. the DUC) and one list or certificate comprising devices (i.e. DOC)
above and in the following other arrangements may also be used. As an alternative, both
devices and users could be comprised in a single list/certificate. Further, several
lists/certificates comprising devices and/or several lists/certificates comprising users and/or
combinations thereof may be used just as well.

Figure 2b illustrates how each content item is linked to persons via a user right
according to one embodiment of the present invention.

The content items (C1, C2, C3, ..., CN2) are connected with the users (P1, P2,
P3, ..., PN1) via user rights (URC1, ... URCN2) (not shown), where preferably one content
item is associated with one user right certificate specifying which rights a given person (or
alternatively a given group of persons and/or all persons bound to the domain) have in
relation to the specific content item (or alternatively, several or all content items in the
domain).

In the shown example, content C1, ..., C N are connected to user right URC1,
..., URC N, respectively, which all are connected to user P1, content C N+1 is connected to
user right URC N+1 connected to user P2, while content C N+2, ..., C N2 is connected to
user rights URC N+2, ..., URC N2, which are distributed among users P4, ..., PN1.

The user right (URC1, ... URCN2) is preferably a certificate, list, data
structure or the like issued by the content provider that authorizes a person to use a certain
content right (CR) (belonging to a certain piece of content). User rights (when implemented
as a certificate) can in principle be anywhere in the system. Preferably, a user right certificate
also comprises rules (e.g. restricted to viewers 18 years or older, European market only, etc.)
describing allowed access to a certain content item.

Figure 3a schematically illustrates the coupling between users and devices
according to a first aspect of the present invention. Shown are two Device Owner Certificates
(DOC1, DOC2) each linked (as indicated by the arrows) to the same person/user, namely
user P1. Further, DOC1 is linked to authorized device D1, while DOC2 is linked to
authorized device D2 (as indicated by the arrows). This reflects in a very simple and reliable
way that user P1 has ownership of devices D1 and D2. So when device D1 or D2 is used to
import content into the Authorized Domain (AD) (e.g. by user P1 or another user), then it is
possible to automatically assign the imported content to user P1. If the content should be
assigned to another user it is preferably possible to override the automatic assignment.

In this embodiment, a DOC exists for each device. Each DOC in this particular
embodiment comprises a unique identifier (Dev1_ID or Dev2_ID) of the given device and a
unique identifier of the user (Pers1_ID) that the given device belongs to.

In a preferred embodiment, the device identifier for a given device, e.g.
Dev1_ID, is an (unchangeable at least by users) serial or ID number, etc. The person/user
identifier could e.g. be an ID or serial number for a given person, a name, a hash value of a
public key of the user or in general any unique identifier of a person. A user may e.g. be
identified by some biometric or preferably by a personalized identification device (e.g. a
smartcard, mobile phone, a mobile phone comprising a smartcard or other types of devices
that uniquely identifies a user) that he/she is wearing, carrying or has access to. A mobile
phone comprising a smart card or another device having storage means allows users to carry
rights with them (for accessing content on off-line devices). In a networked environment, it is
not required that the user carries the rights with him. The identification device may itself be
protected by a biometric authentication mechanism, so that anyone other than the legitimate
owner cannot use the identification device. A user may also be identified using public key
technology or zero-knowledge protocols or a combination thereof.

The DOC is in one embodiment managed by a smartcard (e.g. acting as a
person/user identification device). In this way, the smartcard acts as an AD management
enabled device. In this case, the person private key is used to sign such certificates.
Alternatively, an AD compliant device with AD management capabilities could manage such
certificates, which however, would require further security measures.

Figure 3b schematically illustrates the coupling between users and devices
according to a second aspect of the present invention. Shown is a single Device Owner
Certificate (DOC1) linked (as indicated by the arrows) to the person/user P1. Further, DOC1
is linked to both authorized device D1 and to authorized device D2 (as indicated by the
arrows). This reflects in a very simple and reliable way that user P1 has ownership of devices
D1 and D2. In this embodiment, a DOC exists for each user. Each DOC in this particular
embodiment comprises a unique identifier (Dev1_ID, Dev2_ID) for each device and a unique
identifier of the user (Pers1_ID) that the given device(s) belongs to.

Alternatively, DOCs as described both in connection with Figure 3a and 3b
may be used in combination.

Figure 4 schematically illustrates the elements of a Domain Users Certificate
(DUC). The Domain Users Certificate (DUC) comprises a listing of unique identifiers
(Pers_ID1, Pers_ID2, ...) for one or more users/persons belonging to the given domain, i.e.
being authorized users in the domain. The given domain that the listed users are authorized
within is specified by the value of the Domain ID. A Domain Users Certificate (DUC) is
linked to the Domain ID and thereby defines the authorized domain that comprises both
devices and users, since devices are linked to users, as described above e.g. in connection
with Figures 3a and 3b.

Certificates according to the present invention (DOC, DUC, etc.) could e.g. be
implemented by well-known authorization certificates. Additionally, one useful option is to
put a Domain_ID in a holder field of such a certificate implementing the DOC and/or the
DUC.

Figure 5 schematically illustrates an exemplary (partial) data structure of a content container,
a content right (CR) and a user right certificate (URC) according to the embodiment of the
present invention shown in Figure 2a. Shown is a content container (501) which contains
protected data/content (Encr_Cont) e.g. obtained from a Service Provider. The content
container further comprises a content identifier (Cont_ID) unique for the particular content
item embedded in the content container. In this way, the content identifier (Cont_ID) is used
to locate a given content item of the domain, e.g. by searching every content container
belonging to the specific domain for a matching Cont_ID.

Also shown is a content right (CR) (502) comprising a content identifier
(Cont_ID) and a content encryption key (Cont Encr K). The content identifier is used to
establish a link to the encrypted content item (in a content container) that the content
encryption key is for, i.e. the content that the key is needed to decrypt and thereby enable
access to. In this particular embodiment, the encryption key is a symmetrical key, i.e. the
same key is used to both encrypt and decrypt data. Alternatively, other secure schemes may
be used.

Further shown is a user right (UR)/User Right Certificate (URC) (503). The
URC comprises a content identifier (Cont_ID) used for linking a specific content item (and
content right) with a specific URC. The URC also comprises a person/user identifier
(Pers_ID) that indicates which person the specific content is bound to. The person/user
identifier could e.g. be an ID or serial number for a given person, a name, a hash value of a
public key of the user or in general any unique identifier of a person.

Further, the URC comprises rights data (Rghts Dat) that define what the given
user (as identified by the Pers_ID) is allowed to do in relation with the specific content item
(contained in the content container comprising the same Cont_ID). These rights data may e.g.
specify play rights (e.g. restricted to viewers 18 years or older, European market only, etc.),
one-generation copy rights, a validity period, not used more than three times etc. Further, the
rights data (Rghts Dat) may also define what all users are allowed to do in relation with the
specific content item (which may be the same or different than the rights of the person
identified by Pers_ID).

To illustrate the use of a content container, a content right (CR) and a user
right certificate (URC) according to the present invention consider the following example
illustrating access to a given content item by a given user on a given device.

The content identifier (Cont_ID) for the given content item that the user wants
to access and the person identifier (Pers_ID) of the given user are obtained. The person
identifier may e.g. be obtained on the basis of a personalized identification device (e.g. a
PDA, a smart card, mobile phone, a mobile phone containing a smartcard, a biometric sensor,
etc. or in another way). The content identifier may e.g. be obtained on the basis of a file
name, the selection of a file, from a header of the content container, etc.

It is checked if the content item and the user belong to the (same) Authorized
Domain. Checking whether a user belongs to a domain is done by checking if the person
identifier (Pers_ID) is comprised in a Domain Users Certificate (DUC) (shown in Figures 2a
and 4). If so, then it has been verified that the user is part of the domain and is allowed to
access content also being a part of the same domain.

Then it is checked whether the given content item also belongs to the same
domain, by checking if the content identifier of the content item is bound to a person bound
to the same domain, i.e. by checking whether there exists a URC bound to the domain that
comprises the same content identifier. If so, then the content item belongs to the same
domain and the user (given that the user and/or the device that is used have been verified)
therefore has the right to access it. Further, the rights data (Rghts Dat) of the URC may also
specify a restricted access to the content item. The rights data may specify rules, rights,
conditions for the person identified with Pers_ID and/or rules, rights, conditions in general.
For example, it could specify that every user in the domain has play rights while the user
linked via Pers_ID in addition has exclusive first generation copy rights. In effect, it is
checked if the given content item is linked to a user belonging to the same Authorized
Domain (AD) as the given user, and allowing access for the given user via the given device
and/or other devices to the content item if so.

Usually, the user will obtain access to the content item using a specific device.
If the user is not part of the domain or no valid user ID can be obtained (e.g. because it is a
friend accessing the content), then it has to be checked whether the specific device that the
user is using to access the content item is part of the same domain as the content item in order
to allow the user to access the content item, since he is not (or it can not be established that
he is) part of the same domain as the content item. I.e. the device used for access has to be an
authorized device within the same domain as the content item being accessed. This is done by
obtaining the Pers_ID of the URC that the content item was bound to, i.e. the content owner
of the content item being accessed is determined. Here and in the following, content owner is
meant as content owner within the domain and not the entity that has the right to assign
rights, such as authors, music labels, film studios, etc. In effect, it is checked whether a user,
the given content item is linked to, and a user, the given device is linked to, belongs to the
same Authorized Domain (AD), and allowing access for the given user and/or other users via
the given device to the content item if so.
Then the device identifier (Dev_ID) of the given device being used to access
the content is obtained. The obtained device identifier (Dev_ID) is used to determine the user
that the device belongs to. This is done by determining which DOC (shown in Figure 2a, 3a
and 3b) comprises the device identifier and retrieving the user identifier (Pers_ID) enclosed
therein, i.e. this determines the device owner.

Then it has to be checked whether the content owner and the device owner are
part of the same domain. This is done by checking whether the DUC comprising the domain
identifier (Domain_ID) contains the user identifier (Pers_ID) of both the content owner and
the device owner. If this is the case, then the user (and all other users) may use the specific
device to access the specific content (and all other content of that domain).

These three steps of validating access to the content item, the user and the
device may alternatively be done in another order than the one described and e.g. also in
parallel at least to a certain extent.

After it has been verified that
- the current user and the user that the content item being accessed belongs to and/or that
the user that the device belongs to and the user that the content belongs to is part of the same
domain as the content,

- then the obtained content identifier is used to locate the content right (CR) of the specific
content item being accessed in order to obtain the cryptographic key that has to be used to
decrypt the encrypted content item. Further, the content container comprising the encrypted
content item is also located using the content identifier.

Finally, the key in the content right (CR) is used to decrypt the content item
which is now accessible, e.g. for rendering, copying on an optical disk, editing, etc.
Alternatively, the content item may also be decrypted using the content right before sending
it to the device for access, whereby only the content item needs to be transmitted. However,
this requires special measures in order to protect the content item during transfer so that it is
not possible to 'leak' the unprotected content.

This process is illustrated in Figure 5 by the arrows linking the Cont_ID of the
various structures.

In this way, if a specific user has been verified as belonging to the same
domain as the content item being accessed then there is, as mentioned, no need for checking
whether the device he is using also belongs to the same domain. Further, the validated user
may access the specific content item using all devices. Likewise, if a specific device has been
verified as belonging to the same domain as the content item being accessed, then all users
may access the specific content item using that specific device and there is no need to verify
the user.

Therefore, enhanced flexibility for one or more users when accessing content
in an AD is obtained while security of the content is still maintained.
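The access decision walked through above (user route through the DUC, otherwise device route through the DOC, then the URC rights data, then release of the key held in the content right) can be written out as follows. This is an added example, not code from the patent: the class layout, the split of Rghts Dat into owner and all-user sets, the right names and the sample data are constructed, certificate signatures are assumed to have been verified already, and the decryption step itself is left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class DUC:                       # Domain Users Certificate (Figure 4)
    domain_id: str
    pers_ids: FrozenSet[str]


@dataclass(frozen=True)
class DOC:                       # Device Owner Certificate, per-user form (Figure 3b)
    pers_id: str
    dev_ids: FrozenSet[str]


@dataclass(frozen=True)
class URC:                       # User Right Certificate (503)
    cont_id: str
    pers_id: str
    owner_rights: FrozenSet[str]  # Rghts Dat for the person named by pers_id
    all_rights: FrozenSet[str]    # Rghts Dat for every user


@dataclass(frozen=True)
class CR:                        # Content Right (502)
    cont_id: str
    cont_encr_k: bytes


@dataclass
class Decision:
    allowed: bool
    via: str                     # "user", "device" or "none"
    key: Optional[bytes]
    reason: str


def check_access(duc: DUC, docs: Sequence[DOC], urcs: Sequence[URC], crs: Sequence[CR],
                 cont_id: str, dev_id: str, pers_id: Optional[str] = None,
                 action: str = "play") -> Decision:
    # Content side: a URC for this Cont_ID whose Pers_ID is listed in the DUC.
    urc = next((u for u in urcs
                if u.cont_id == cont_id and u.pers_id in duc.pers_ids), None)
    if urc is None:
        return Decision(False, "none", None, "content item is not bound to the domain")

    # User route first; fall back to the device route when the user is unknown
    # or not listed in the DUC (for example a visiting friend).
    if pers_id is not None and pers_id in duc.pers_ids:
        via = "user"
    elif any(dev_id in d.dev_ids and d.pers_id in duc.pers_ids for d in docs):
        via = "device"
    else:
        return Decision(False, "none", None, "neither user nor device is bound to the domain")

    # Rights data: owner-only rights apply only to the verified linked person.
    granted = set(urc.all_rights)
    if via == "user" and pers_id == urc.pers_id:
        granted |= urc.owner_rights
    if action not in granted:
        return Decision(False, via, None, f"rights data does not allow {action!r}")

    # Only now is the content right located and its key released.
    cr = next((c for c in crs if c.cont_id == cont_id), None)
    if cr is None:
        return Decision(False, via, None, "no content right for this Cont_ID")
    return Decision(True, via, cr.cont_encr_k, "ok")


# Constructed sample data: P1 and P2 form the domain, D_PORTABLE is bound to nobody.
SAMPLE_DUC = DUC("AD-100", frozenset({"P1", "P2"}))
SAMPLE_DOCS = [DOC("P1", frozenset({"D_TV", "D_VIDEO"})), DOC("P2", frozenset({"D_MUSIC"}))]
SAMPLE_URCS = [URC("C1", "P1", frozenset({"copy-once"}), frozenset({"play"})),
               URC("C9", "P7", frozenset(), frozenset({"play"}))]
SAMPLE_CRS = [CR("C1", b"constructed-key-C1"), CR("C9", b"constructed-key-C9")]


def decide(cont_id: str, dev_id: str, pers_id: Optional[str] = None,
           action: str = "play") -> Decision:
    """Run check_access against the constructed sample domain."""
    return check_access(SAMPLE_DUC, SAMPLE_DOCS, SAMPLE_URCS, SAMPLE_CRS,
                        cont_id, dev_id, pers_id, action)


if __name__ == "__main__":
    for args in [("C1", "D_PORTABLE", "P1"), ("C1", "D_TV", None),
                 ("C1", "D_PORTABLE", "P9"), ("C1", "D_TV", None, "copy-once")]:
        print(args, decide(*args))
```

The device route admits an unidentified operator, so in this sketch it can only ever yield the all-user rights; anything reserved for the linked person requires the user route.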

Figure 6 schematically illustrates an exemplary system comprising devices and
persons forming an authorized domain (AD). Shown is a network (508) that enables
communication between a number of devices e.g. in a household. Devices in the example are a
television set (504), a digital video system (510), a music set (509) and a portable device
(507) that is in wireless communication with the network (508) via a wireless access point
(506). Further schematically shown is a user/person (505).

In one exemplary scenario, an Authorized Domain (100) has the user (505) 
bound to it in addition to the television set (504), the digital video (510), the music set (509) 
and a number of content items (not shown) (all bound according to Figure 2a via 
persons/users). 

In this scenario, the user wants to access a given content item on the portable
device (507). He may be located the same place as the devices or at another place (e.g. in a
hotel room). For a user to obtain access to the content item according to the invention, it has
to be checked that the person (505) belongs to the same domain (100) as the content owner
since the portable device (507) does not. This may be done by uniquely identifying the user
e.g. using a smart card reader, e.g. in the portable device (507), which then may transfer the
User ID to the network (508). The content right and the content item is assumed to be on the
portable device (507) (otherwise it may be transmitted there). The user is then checked as
described in connection with Figure 5. After validation of the user, then the content item may
be accessed.

In another exemplary scenario, an Authorized Domain (100) has the television
set (504), the digital video (510), the music set (509) and the portable device (507) bound to
it in addition to a number of content items (not shown) (all bound according to Figure 2a via
persons/users). The user (505) is in this scenario not bound to the Authorized Domain (100)
as he e.g. may be a neighbor or friend visiting. In this scenario, the user also wants to access
a given content item on the portable device (507).

For a user to obtain access to the content item according to the invention, it
has to be checked that the portable device (507) belongs to the same domain
(100) as the owner of the content since the person (505) does not.
This may be done by checking if the portable device (507) is bound to the
same domain as the content item as described in connection with Figure 5. After validation of
the device, then the content item may be accessed by the user on the portable device (507).

In the claims, any reference signs placed between parentheses shall not be
construed as limiting the claim. The word "comprising" does not exclude the presence of
elements or steps other than those listed in a claim. The word "a" or "an" preceding an
element does not exclude the presence of a plurality of such elements.

The invention can be implemented by means of hardware comprising several
distinct elements, and by means of a suitably programmed computer. In the device claim
enumerating several means, several of these means can be embodied by one and the same
item of hardware. The mere fact that certain measures are recited in mutually different
dependent claims does not indicate that a combination of these measures cannot be used to
advantage.
1. A method of generating an Authorized Domain (AD), the method comprising
the steps of

- selecting a domain identifier (Domain_ID) uniquely identifying the Authorized Domain
(100),

- binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID),

- binding at least one content item (C1, C2, ..., CN2) to at least one user (P1, P2, ..., PN1),
and

- binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1),

- thereby obtaining a number of devices (D1, D2, ..., DM) and a number of users (P1, P2, ...,
PN1) that is authorized to access a content item (C1, C2, ..., CN2) of said Authorized Domain
(100).

2. A method according to claim 1, characterized in that

- each device (D1, D2, ..., DM) may be bound to only a single user, or

- each device (D1, D2, ..., DM) may be bound to several users, where one user is indicated as
a primary user for that particular device (D1, D2, ..., DM).

3. A method according to claim 2, characterized in that the method further
comprises the step of:

- importing, on a given device (D1, D2, ..., DM), at least one content item (C1, C2, ..., CN2)
into the Authorized Domain (AD) given by the domain identifier (Domain_ID) by

- automatically binding, by default, the at least one imported content item (C1, C2, ..., CN2)
to the single user (P1, P2, ..., PN1) that the given device (D1, D2, ..., DM) is bound to or to
the user (P1, P2, ..., PN1) indicated as primary user for the given device (D1, D2, ..., DM),
or

- binding the at least one imported content item (C1, C2, ..., CN2) to another user (P1, P2,
..., PN1) using additional information, when non-default binding is to be used.
4. A method according to claims 1-3, characterized in that the method further
comprises

- providing an Authorized Domain (AD) size limitation, where the limitation relates to a
maximum number of users.

5. A method according to claims 1 - 4, characterized in that the method further
comprises

using a user identification device as a personal Authorized Domain (AD) manager, and/or
using a personal mobile device as a personal Authorized Domain manager, and/or
using a mobile phone as a personal Authorized Domain manager, and/or
using a PDA (personal digital assistant) as a personal Authorized Domain manager and/or.

6. A method according to claims 1 - 5, characterized in that the step of binding at
least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) comprises:

obtaining or generating a Domain Users List (DUC) comprising the domain identifier
(Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2,
..., PN1) thereby defining that the user is bound to the Authorized Domain (100).

7. A method according to claims 1 - 6, characterized in that

the step of binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1)
comprises

obtaining or generating a Device Owner List (DOC) comprising a unique identifier
(Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier
(Dev_ID1, Dev_ID2, ..., Dev_IDM) for each device (D1, D2, ..., DM) belonging to the user
thereby defining that the at least one device is/are bound to the user (P1, P2, ..., PN1),

or in that the step of binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2,
..., PN1) comprises

obtaining or generating a Device Owner List (DOC) for each device (D1, D2, ..., DM) to be
bound, the Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2,
..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2,

_ ^ - mi TYi nM^ belonome tQ_thejiser thereby.jipfining..thM Ihe 



5Tiser(Pl,"P2; 
8. A method according to claims 1 - 7, characterized in that the step of binding at
least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) comprises:
binding a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ... URCN2), where
said User Right (URC1, URC2, ... URCN2) is bound to a user (P1, P2, ..., PN1) bound to the
Authorized Domain (100).

9. A method according to claim 8, characterized in that the User Right (URC1,
URC2, ... URCN2) comprises rights data (Rghts Dat) representing which rights exists in
relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC1,
URC2, ... URCN2).

10. A method according to any one of the previous claims, characterized in that
the method further comprises the step of controlling access, by a given device being operated
by a given user, to a given content item (C1, C2, ..., CN2), the step comprising:

checking whether a user, the given content item (C1, C2, ..., CN2) is linked to, and a user, the
given device is linked to, belongs to the same Authorized Domain (AD), and allowing access
for the given user and/or other users via the given device to the content item if so,
and/or

checking if the given content item (C1, C2, ..., CN2) is linked to a user belonging to the same
Authorized Domain (AD) as the given user, and allowing access for the given user via the
given device and/or other devices to the content item if so.

11. A method according to any one of claims 6-9, characterized in that the
method further comprises the step of controlling access, by a given device being operated by
a given user, to a given content item (C1, C2, ..., CN2) being bound to the Authorized
Domain (100) and having a unique content identifier (Cont_ID), comprising:
checking if the Domain User List (DUC) of the Authorized Domain (100) comprises both a
first user identifier (Pers_ID), comprised in a Device Owner List (DOC) comprising an
identifier (Dev1_ID, Dev2_ID) of the given device, and a second user identifier (Pers_ID),
linked to the given content item (C1, C2, ..., CN2), thereby checking if the user bound to the
given device is bound to the same Authorized Domain (100) as the user bound to the content
item, and

allowing access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ...,
DM) operated by any user
and/or

checking if the Domain User List (DUC) of the Authorized Domain (100), that the content
item is bound to, comprises a user identifier (Pers_ID) of the given user (P1, P2, ..., PN1)
thereby checking if the given user is bound to the same Authorized Domain (100) as the
content item, and

allowing access to the given content item (C1, C2, ..., CN2) by any device including the
given device operated by the given user.

12. A method according to claims 10-11, characterized in that the step of
controlling access of a given content item further comprises:

checking that the User Right (URC1, URC2, ... URCN2) for the given content item specifies
that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2,
..., CN2) and only allowing access to the given content item (C1, C2, ..., CN2) in the
affirmative.

13. A method according to claims 1 - 12, characterized in that every content item
is encrypted and that a content right (CR) is bound to each content item and to a User Right
(URC1, URC2, ... URCN2), and that the content right (CR) of a given content item
comprises a decryption key for decrypting the given content item.

14. A method according to claims 6-13, characterized in that

the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate,
and/or

the Device Owner List (DOC) is implemented as or included in a Device Owner Certificate,
and/or

the User Right (URC1, URC2, ... URCN2) is implemented as or included in a User Right
Certificate.

15. A system for generating an Authorized Domain (AD), the system comprising:
means for obtaining a domain identifier (Domain_ID) uniquely identifying the Authorized
Domain (100),



means for binding at least one content item (C1, C2, ..., CN2) to at least one user (P1, P2, ...,
PN1), and
means for binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1),
and

thereby obtaining a number of devices (D1, D2, ..., DM) and a number of persons (P1, P2,
..., PN1) that is authorized to access a content item of said Authorized Domain (100).

16. A system according to claim 15, characterized in that
each device (D1, D2, ..., DM) may be bound to only a single user, or

each device (D1, D2, ..., DM) may be bound to several users, where one user is indicated as
a primary user for that particular device (D1, D2, ..., DM).

17. A system according to claim 16, characterized in that the system further
comprises means for:

importing, on a given device (D1, D2, ..., DM), at least one content item (C1, C2, ..., CN2)
into the Authorized Domain (AD) given by the domain identifier (Domain_ID) by
automatically binding, by default, the at least one imported content item (C1, C2, ..., CN2) to
the single user (P1, P2, ..., PN1) that the given device (D1, D2, ..., DM) is bound to or to the
user (P1, P2, ..., PN1) indicated as primary user for the given device (D1, D2, ..., DM), or
binding the at least one imported content item (C1, C2, ..., CN2) to another user (P1, P2, ...,
PN1) using additional information, when non-default binding is to be used.

18. A system according to claims 15-17, characterized in that the system further 
comprises means for 

providing an Authorized Domain (AD) size limitation, where the limitation relates to a 
maximum number of users. 

19. A system according to claims 15-18, characterized in that the system further 
comprises means for: 

using a user identification device as a personal Authorized Domain (AD) manager, and/or 
using a personal mobile device as a personal Authorized Domain manager, and/or 
using a mobile phone as a personal Authorized Domain manager, and/or 
using a PDA (personal digital assistant) as a personal Authorized Domain manager. 

20. A system according to claims 15 - 19, characterized in that the means for
binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) is adapted
to:

obtain or generate a Domain Users List (DUC) comprising the domain identifier
(Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2,
..., PN1) thereby defining that the user is bound to the Authorized Domain (100).

21. A system according to claims 15 - 20, characterized in that

the means for binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ...,
PN1) is adapted to

obtain or generate a Device Owner List (DOC) comprising a unique identifier (Pers_ID1,
Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1,
Dev_ID2, ..., Dev_IDM) for each device (D1, D2, ..., DM) belonging to the user thereby
defining that the at least one device is/are bound to the user (P1, P2, ..., PN1),
or in that the means for binding at least one device (D1, D2, ..., DM) to at least one user (P1,
P2, ..., PN1) is adapted to

obtain or generate a Device Owner List (DOC) for each device (D1, D2, ..., DM) to be
bound, the Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2,
..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2, ...,
Dev_IDM) for a device (D1, D2, ..., DM) belonging to the user thereby defining that the
device is bound to the user (P1, P2, ..., PN1).

22. A system according to claims 15-21, characterized in that the means for
binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) is
adapted to:

bind a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ... URCN2), where
said User Right (URC1, URC2, ... URCN2) is bound to a user (P1, P2, ..., PN1) bound to the
Authorized Domain (100).

23. A system according to claim 22, characterized in that the User Right (URC1,
URC2, ... URCN2) comprises rights data (Rghts Dat) representing which rights exist in
relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC1,
URC2, ... URCN2).



24. A system according to claims 15-23, characterized in that the system further
comprises the means for controlling access, by a given device being operated by a given user,
to a given content item (C1, C2, ..., CN2), where the means is adapted to:
check whether a user, the given content item (C1, C2, ..., CN2) is linked to, and a user, the
given device is linked to, belongs to the same Authorized Domain (AD), and allowing access
for the given user and/or other users via the given device to the content item if so,
and/or

check if the given content item (C1, C2, ..., CN2) is linked to a user belonging to the same
Authorized Domain (AD) as the given user, and allowing access for the given user via the
given device and/or other devices to the content item if so.

25. A system according to any one of claims 20 - 24, characterized in that the
system further comprises means for controlling access, by a given device being operated by a
given user, to a given content item (C1, C2, ..., CN2) being bound to the Authorized Domain
(100) and having a unique content identifier (Cont_ID), where the means is adapted to:
check if the Domain User List (DUC) of the Authorized Domain (100) comprises both a first
user identifier (Pers_ID), comprised in a Device Owner List (DOC) comprising an identifier
(Devi JDD, Dev2JQD) of the given device, and a second user identifier (Pers_ID), linked to
the given content item (C1, C2, ..., CN2), thereby checking if the user bound to the given
device is bound to the same Authorized Domain (100) as the user bound to the content item,
and

allow access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ...,
DM) operated by any user
and/or

check if the Domain User List (DUC) of the Authorized Domain (100), that the content item
is bound to, comprises a user identifier (Pers_ID) of the given user (P1, P2, ..., PN1) thereby
checking if the given user is bound to the same Authorized Domain (100) as the content item,
and

allow access to the given content item (C1, C2, ..., CN2) by any device including the given
device operated by the given user.

26. A system according to claims 24 - 25, characterized in that the means for
controlling access of a given content item is further adapted to:

check that the User Right (URC1, URC2, ... URCN2) for the given content item specifies
that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2,
..., CN2) and only allow access to the given content item (C1, C2, ..., CN2) in the
affirmative.



27. A system according to claims 15 - 26, characterized in that every content item
is encrypted and that a content right (CR) is bound to each content item and to a User Right
(URC1, URC2, ... URCN2), and that the content right (CR) of a given content item
comprises a decryption key for decrypting the given content item.

28. A system according to claims 20 - 27, characterized in that

the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate,
and/or

the Device Owner List (DOC) is implemented as or included in a Device Owner Certificate,
and/or

the User Right (URC1, URC2, ... URCN2) is implemented as or included in a User Right
Certificate.

29. A computer readable medium having stored thereon instructions for causing 
one or more processing units to execute the method according to any one of claims 1 - 14. 

30. An Authorized Domain (AD) characterized in that the Authorized Domain
(AD) has been generated by the method according to any one of claims 1 - 14 or by the
system according to any one of claims 15 - 28.

31. An Authorized Domain (AD) structure comprising

a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),
a representation of at least one user (P1, P2, ..., PN1) bound to the domain identifier
(Domain_ID),

a representation of at least one content item (C1, C2, ..., CN2) bound to at least one user (P1,
P2, ..., PN1), and

a representation of at least one device (D1, D2, ..., DM) bound to at least one user (P1, P2,
..., PN1),

thereby defining a number of devices (D1, D2, ..., DM) and a number of users (P1, P2, ...,
PN1) that is authorized to access a content item (C1, C2, ..., CN2) of said Authorized Domain
(100).
This invention relates to a system and a method of generating an Authorized
Domain (AD), the method comprising the steps of selecting a domain identifier (Domain_ID)
uniquely identifying the Authorized Domain, binding at least one user (P1, P2, ..., PN1) to
the domain identifier (Domain_ID), binding at least one content item (C1, C2, ..., CN2) to at
least one user (P1, P2, ..., PN1), and binding at least one device (D1, D2, ..., DM) to at least
one user (P1, P2, ..., PN1), thereby obtaining a number of devices (D1, D2, ..., DM) and a
number of users (P1, P2, ..., PN1) that is authorized to access a content item (C1, C2, ...,
CN2) of said Authorized Domain (100).

Hereby, a number of verified devices (D1, D2, ..., DM) and a number of
verified persons (P1, P2, ..., PN1) that is authorized to access a content item of said
Authorized Domain (100) is obtained. Additionally, it is possible to enable automatic
assignment of imported content being imported on a device belonging to the Authorized
Domain (AD) since it now is given to which person a given authorized device belongs to.
Further, a simple and efficient way of implementing domain boundaries is enabled.
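
The access check of claims 25 and 26, as an added sketch in Python that is not part of the patent text: it walks the Domain Users List (DUC), the Device Owner Lists (DOC) and the User Right (URC) for one request and reports which of the two paths granted access. The class names, `check_access`, the set-of-strings encoding of the rights data and the sample identifiers are assumptions, and the lists are assumed to have been verified already (for example as signed certificates).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainUsersList:      # DUC: Domain_ID plus the Pers_IDs bound to it
    domain_id: str
    person_ids: frozenset

@dataclass(frozen=True)
class DeviceOwnerList:      # DOC: one Pers_ID plus the Dev_IDs bound to that user
    person_id: str
    device_ids: frozenset

@dataclass(frozen=True)
class UserRight:            # URC: binds a Cont_ID to a Pers_ID, with rights data
    person_id: str
    content_id: str
    rights: frozenset       # assumed encoding of the rights data, e.g. {"play"}

def check_access(duc, docs, urcs, device_id, user_id, content_id, action):
    """Return (allowed, reason) for user_id operating device_id on content_id."""
    urc = next((u for u in urcs if u.content_id == content_id), None)
    if urc is None:
        return False, "no user right for content"
    if action not in urc.rights:
        return False, "right not granted"
    # The content must be linked to a user of this domain in both paths.
    if urc.person_id not in duc.person_ids:
        return False, "content outside domain"
    # Device path: a user the device is bound to is in the same domain,
    # so the device may render the content whoever operates it.
    owners = {d.person_id for d in docs if device_id in d.device_ids}
    if owners & duc.person_ids:
        return True, "device path"
    # Person path: the operating user is in the domain, so any device will do.
    if user_id in duc.person_ids:
        return True, "person path"
    return False, "device and user outside domain"

# Constructed sample data: P1 and P2 form the domain, P3 is an outsider.
DUC = DomainUsersList("AD-100", frozenset({"P1", "P2"}))
DOCS = [DeviceOwnerList("P1", frozenset({"D1", "D2"})),
        DeviceOwnerList("P3", frozenset({"D9"}))]
URCS = [UserRight("P2", "C1", frozenset({"play"}))]

if __name__ == "__main__":
    for dev, usr in [("D1", "P3"), ("D9", "P2"), ("D9", "P3")]:
        print(dev, usr, check_access(DUC, DOCS, URCS, dev, usr, "C1", "play"))
```

The first sample request shows the consequence of the device path: an outsider (P3) operating a domain device (D1) is granted access, which is what "operated by any user" in claim 25 permits.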

[Drawing sheets 1/4 to 4/4 (PHNL040315): Figure 2a, Figure 2b, Figure 3a, one figure with an illegible label, Figure 4, Figure 5, Figure 6. Drawings not reproduced.]





